Monday, August 25, 2008

Poking around the newsgroups and Windows Small Business Server 2008 support communities, we've seen a lot of confusion regarding the new Monitoring and Alerting infrastructure included with the 2008 version of the product. Adrian wanted to provide an in-depth look at the solution.

In Windows Small Business Server 2003, the Monitoring and Alerting was provided by a Microsoft product called "Health Monitor", or HealthMon for short. HealthMon was an extremely old application, rectified in the 2003 timeframe for SBS only, but it was beyond the end of its development lifecycle and impossible to maintain and improve for future versions. As a result, HealthMon is not included with the 2008 product.

So let's focus on what we do have.

The heart and soul of the infrastructure is the Windows SBS Manager Service. This service drives a series of tasks including: Report Generation, WSUS Configuration & Update Approvals, Server Backup, Other alerts (Data collection tasks, domain name provider tasks, certificate expiry tasks, licensing tasks), Internal system maintenance (database clean up), and some ad-hoc things like Anti-Spam Safe List updates, and trimming down the Bad Mail directory.

The service is essentially on a 30-minute timer. Every 30 minutes, it wakes up and looks for tasks to do. What it does depends on each task's scheduled time and recurrence. The service queues tasks and only allows one task to run at a time, so as to avoid conflicts and minimize any resource hits on the server as much as possible.

The service also supports the Other Alerts function, which has a large set of alerts included with the server. Other Alerts are extensible by using the Windows Small Business Server 2008 SDK. In fact, as I posted earlier, the MVPs have started an Alert Sharing Web Site over on CodePlex.com. The scope of Monitoring and Reporting varies depending on the host operating system of the client; the table below breaks out the level of monitoring and reporting available:

| | SBS Server | Domain Joined Client | 2nd Server & additional Servers |
|---|---|---|---|
| Auto-Start Service Monitoring | Yes | No | No |
| Key Event Log Entry Monitoring | Yes | No | No |
| Disk Space Monitoring | Yes | Yes | Yes |
| Anti-Virus/Anti-Spyware Status | Yes | Yes | No |
| Host Firewall Status | Yes | Yes | No |

The Other Alerts for each computer are displayed on the Computers Tab against each computer, and of course if you specify an e-mail address on the property page of the View Notifications Settings, you will get emailed when an alert fires.

The Other Alerts have two ways to resolve:

A Clearing Condition is received

For example, Alert ID 1 fires and shows an alert. If the condition is fixed when Alert ID 2 appears, then Alert ID 1 is cleared and there is no longer an error.

A Timeout occurs

Many problems are caused by external sources, such as the ISP being down. So if there is an alert that your DNS record can't be updated, simply waiting until the Internet connection comes back will resolve the alert. Thus, if Event ID 1 happens once and then never happens again, the alert clears when the timeout expires (by default the clearing timeout is 30 minutes, but it can be changed individually, alert by alert).

Note: If you're writing alerts, you cannot use a combination of the above.

IMPORTANT: An "Other Alert" created by an Event ID condition may have a latency of up to 30 minutes, because the Data Collection service runs every 30 minutes.
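
The two resolution modes and the 30-minute collection latency described above, modeled as a small Python simulation. This is an added example, not SBS or SDK code: the AlertDef, simulate and detection_latency names, the sample events, and the assumption that the timeout is measured from the last occurrence of the raising event are all illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CYCLE = timedelta(minutes=30)  # collection interval stated in the post

@dataclass
class AlertDef:  # hypothetical model of an "Other Alert" definition
    name: str
    raise_id: int
    clear_id: Optional[int] = None       # resolve by clearing condition, or...
    timeout: Optional[timedelta] = None  # ...resolve by clearing timeout

    def __post_init__(self):
        # The post notes an alert cannot combine both resolution methods.
        if (self.clear_id is None) == (self.timeout is None):
            raise ValueError("set exactly one of clear_id or timeout")

def simulate(defn, events, start, cycles):
    """Return [(collection_time, active)] for each 30-minute collection pass.
    events is a list of (timestamp, event_id) tuples (constructed data)."""
    timeline, active, last_raise, prev = [], False, None, start
    for n in range(1, cycles + 1):
        now = start + n * CYCLE
        # A pass only sees events logged since the previous pass.
        for ts, eid in sorted(e for e in events if prev < e[0] <= now):
            if eid == defn.raise_id:
                active, last_raise = True, ts
            elif eid == defn.clear_id:
                active = False
        # Assumption: the timeout counts from the last raising event.
        if active and defn.timeout is not None and now - last_raise >= defn.timeout:
            active = False
        timeline.append((now, active))
        prev = now
    return timeline

def detection_latency(defn, events, start, cycles):
    """Delay between the first raising event and the pass that reports it."""
    first = min(ts for ts, eid in events if eid == defn.raise_id)
    for when, active in simulate(defn, events, start, cycles):
        if active:
            return when - first
    return None

START = datetime(2008, 8, 25, 10, 0)  # constructed sample start time
```
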

General Alert Comments

Configuring the Alerts to be E-mailed

To enable the "Other Alerts" to be e-mailed directly to the administrator, you need to specify the e-mail address(es): simply navigate to the Computers Tab and click View Notification Settings. When an "Other Alert" is specified to be an alert, it will be included in the reports and be e-mailed within the 30-minute window. Removing an Alert removes it from both as well.

An Alert E-Mail may be sent more than once if there is no timestamp for tracking when the condition occurred, e.g., service start-ups, disk usage, etc. These are Windows Management Instrumentation (WMI) based queries, and we cannot identify exactly when the condition occurred.

Items from the Event Log should be generated only once

The data for the service is all maintained in a SQL 2005 Express data store.

For troubleshooting, make sure the service is running.

Additionally, check the log files in c:\program files\windows small business server\logs\monitoring\

Well, the SBS 2008 console is not extensible. You can only add items on the security tab, or add health alerts. So there is no add-in model for the dashboard. The add-in model applies to WHSv1, SBS 2011 Essentials (not standard) and WHS 2011. All other Server Solutions SKUs do not have extensible consoles.

Is the Windows SBS Manager Service configurable as to how often to wake up and what time of the day? I find that quite frequently my server bogs down because of excessive activity from SBS Monitoring.